Web Security Update: North Korean APTs Target Devs, Gemini LLM Exploit & JavaScript Bundle Risks

This newsletter is AI-generated and may sometimes hallucinate 😊

5 Malicious Chrome Extensions Attacking Enterprise HR and ERP Platforms for Complete Takeover

  • Five malicious Chrome extensions target enterprise HR/ERP platforms with advanced takeover techniques.
  • They steal authentication tokens, disable security, hijack sessions, and bypass MFA for fraud.
  • Mitigation requires strict extension policies, endpoint security, and comprehensive employee training.

Source: Teamwin | Date: January 20, 2026

17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steal User Data

  • 17 malicious "GhostPoster" extensions across Chrome/Firefox/Edge have over 840,000 installations.
  • They masquerade as utilities like 'Google Translate' to steal browser history, tokens, and form data.
  • This cross-platform attack bypasses official store security, posing significant risk to users.

Source: Teamwin | Date: January 19, 2026

CrashFix – Hackers Using Malicious Extensions to Display Fake Browser Warnings

  • A "CrashFix" extension uses social engineering to deliberately crash browsers and display fake warnings.
  • It exploits extension privileges to manipulate UI, trigger panic, and trick users.
  • Users are manipulated into downloading malware or revealing sensitive information.

Source: Teamwin | Date: January 19, 2026

A fake ad blocker crashes your browser, then uses ClickFix tricks to make you run the malware yourself

  • Fake ad blocker crashes browsers using "ClickFix" social engineering tactics.
  • Users are tricked into manually running malicious code, distributing malware.
  • This sophisticated technique exploits user panic to install threats.

Source: Malwarebytes Blog | Date: January 20, 2026

Researchers found sleeper browser extensions that spy on users and install backdoors

  • Researchers discovered "sleeper" browser extensions with hidden spyware capabilities.
  • These extensions can install backdoors, specifically targeting Firefox users.
  • Seemingly innocuous add-ons pose a significant risk of user compromise.

Source: Malwarebytes Blog | Date: January 19, 2026

Researchers uncovered data theft method for Microsoft Copilot

  • A new Microsoft Copilot vulnerability allows data theft via a single malicious link.
  • This vulnerability highlights significant risks inherent in AI-powered platforms.
  • Users should be aware of potential data compromise from malicious links.

Source: Malwarebytes Blog | Date: January 15, 2026

North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

  • North Korea-linked APT group "Onyx Sleet" (also known as ScarCruft, APT37, and Reaper) is targeting software developers with malicious Visual Studio Code extensions disguised as legitimate tools.
  • The campaign uses social engineering on GitHub to lure developers into installing trojanized extensions from a fake repository, leading to the execution of a custom backdoor.
  • The malicious extensions, such as "Cloud-Sec" and "Azure Defender", aim to compromise developer machines and potentially gain access to sensitive intellectual property and credentials.

Source: The Hacker News | Date: January 20, 2026

Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto

  • The Evelyn Stealer malware is distributed via trojanized Visual Studio Code extensions, specifically targeting developers to exfiltrate sensitive data.
  • The malware is capable of stealing credentials for popular platforms like GitHub, AWS, and Google, as well as cryptocurrency wallet data and SSH keys.
  • This campaign highlights the growing threat of supply chain attacks targeting developer environments through seemingly innocuous extensions, emphasizing the need for vigilance.

Source: The Hacker News | Date: January 20, 2026

Why Secrets in JavaScript Bundles are Still Being Missed

  • Sensitive information, including API keys, tokens, and database credentials, is frequently exposed in client-side JavaScript bundles due to improper handling during development and deployment.
  • These exposed secrets can be easily discovered by attackers using automated tools or manual inspection of browser developer tools, leading to unauthorized access and data breaches.
  • Developers often mistakenly believe that secrets are secure if they are not directly visible in the code, overlooking the fact that client-side bundles are publicly accessible resources.

Source: The Hacker News | Date: January 20, 2026
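The summary above notes that exposed secrets are "easily discovered by attackers using automated tools"; the same kind of check can run on the defender's side, over the built bundle, before deployment. The scanner below is an added example, not code from the article or any project it mentions; the bundle excerpt and key values are constructed placeholders (the AKIA key is the one from AWS documentation), and the pattern list and entropy threshold are assumptions.

```javascript
// Added example: scan a built JavaScript bundle for credential-shaped strings.
// Patterns and the entropy threshold are assumptions chosen for illustration.
const SECRET_PATTERNS = [
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

// Shannon entropy in bits per character; opaque tokens score higher than prose or URLs.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Returns one finding per credential-shaped match, with the 1-based bundle line.
function scanBundle(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // global regex: reset between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ rule: name, line: i + 1, match: m[0] });
      }
    }
    // Fallback: any quoted literal of 32+ token characters with entropy above 4 bits/char
    // that no named pattern already caught.
    for (const m of line.matchAll(/["']([A-Za-z0-9+/=_-]{32,})["']/g)) {
      if (entropy(m[1]) > 4.0 && !findings.some(f => f.line === i + 1 && f.match === m[1])) {
        findings.push({ rule: "high_entropy_literal", line: i + 1, match: m[1] });
      }
    }
  });
  return findings;
}

// Constructed bundle excerpt: what a bundler emits after inlining process.env.* values
// at build time. All key values are placeholders, not real credentials.
const SAMPLE_BUNDLE = [
  'var e={accessKeyId:"AKIAIOSFODNN7EXAMPLE",region:"us-east-1"};',
  'fetch("/api",{headers:{Authorization:"Bearer ghp_0123456789abcdefghijABCDEFGHIJ012345"}});',
  'var k="A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0",u="https://cdn.example.com/app.js";',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE)); // three findings: AWS key, GitHub PAT, opaque literal
```

Run it in CI against the emitted bundle rather than the source tree, since build-time inlining is exactly how a value that looks "hidden" in `.env` ends up in the public artifact.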

When Language Becomes the Attack Surface: Inside the Google Gemini Calendar Exploit

  • Researchers uncovered a prompt injection exploit in Google Gemini's Calendar feature that allowed unauthorized access and manipulation of user data.
  • The exploit leveraged carefully crafted language inputs to bypass security measures, demonstrating how large language models (LLMs) can introduce new attack surfaces in web applications.
  • This incident underscores the critical need for robust security testing and mitigation strategies tailored to the unique vulnerabilities of AI-powered web features.

Source: The Cyber Express | Date: January 20, 2026
